[Pdns-users] PowerDNSSEC Progress: ready for a first look
frank at openminds.be
Fri Jan 7 08:49:45 UTC 2011
would be an excellent "way into dnssec".
This wouldn't require any change to the existing (non-dnssec) powerdns setups, and would allow us to test with "real" things, easily migrate single domains to a dnssec setup (just change the nameservers), rollback when needed to the old and tested setup etc.
Am I correct that this would only work via AXFR style transfers from the non-dnssec pdns to the new pdns-dnssec slaves?
On 06 Jan 2011 wk 1, at 20:00, bert hubert wrote:
> On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote:
>> Excellent! BTW, can PowerDNSSEC operate in the following way as one would expect:
>> PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka
>> traditional PowerDNS) providing data to PowerDNS slaves. If you use the
>> new code with a compatible backend on the slaves (such as gsqlite3), and
>> your whois servers only point to those slaves, will it work?
> Almost! If you did that up till just now, you would have had to run 'pdnssec
> rectify-zone' on your slaves after each AXFR.
> However, thank you for raising this idea, this sounds like a very valid use
> It has just been implemented in changeset
> I tested it against an ancient server, and now I have a fully
> operational DNSSEC zone!
> It works fully automatic on retrieving a zone for which we have local keying
> In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a
> bit like 'phreebird'. http://freshmeat.net/projects/phreebird
>> = Matt
>> On Jan 6, 2011, at 10:13, bert hubert wrote:
>>> Dear PowerDNS Community,
>>> With the help of many of you, we've now brought 'PowerDNSSEC' to the point
>>> where it might make sense for you to trial it on test domains. We expect to
>>> make move some of our own important domains over to PowerDNSSEC early next
>>> week. PowerDNS.COM underlies the commercial DNS hosting service 'Express',
>>> and may have to wait a bit longer.
>>> To test, head over to http://www.powerdnssec.org (which of course is powered
>>> by PowerDNSSEC). More information is on
>>> http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started,
>>> and how to get help.
>>> In brief, PowerDNSSEC will allow you to continue operating as normal in many
>>> cases, with only slight changes to your installation. There is no need to
>>> run signing tools, nor is there a need to rotate keys or run scripts.
>>> Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
>>> SQLite3, you should have an easy time. A small schema update is required,
>>> plus an invocation of 'pdnssec secure-zone domain-name && pdnssec
>>> rectify-zone domain-name' per domain you want to secure. And that should be
>>> Supported are:
>>> * NSEC
>>> * NSEC3 in ordered mode (pre-hashed records)
>>> * NSEC3 in narrow mode (unmodified records)
>>> * Zone transfers (for NSEC)
>>> * Import of 'standard' private keys from BIND/NSD
>>> * Export of 'standard' private keys
>>> * RSASHA1
>>> * "Pure" PostgreSQL, SQLite3 & MySQL operations
>>> * Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
>>> To join the fun, download the tarball which can be found on the sites above,
>>> and let us know how it works for you!
>>> To clarify, we do not recommend taking the current code snapshot into
>>> production, but we are getting close.
>>> Kind regards,
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
Operations -- Openminds bvba http://openminds.be
frank at openminds.be +32.9 225 82 91
Schrijf je nu in op onze nieuwsbrief: http://openminds.be/nieuwsbrief
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users